Privacy Policy

Last updated: February 2026

1. Information We Collect

We collect information you provide directly to us, including:

• Account information (name, email, company details)
• Financial data you enter into the Service
• Communications you send to us
• Usage data and analytics
• Device and browser information

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process transactions and send related information
• Send technical notices and support messages
• Respond to your comments, questions, and requests
• Power AI-driven features like TimeFlow (with your consent)
• Detect, prevent, and address fraud and security issues

3. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This includes:

• AES-256 encryption of data in transit and at rest
• SOC 2 Type 2 certified hosting infrastructure (AWS)
• Regular penetration testing and security assessments
• Role-based access controls and multi-factor authentication
• Comprehensive audit logging of all data access

4. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you services. Financial records are retained for 7 years to comply with regulatory requirements (DCAA, SOX, and tax regulations).

Upon account deletion request, we remove personal data within 30 days while retaining only what is legally required for compliance.

5. Data Sharing

We do not sell your personal data. We may share your information with:

• Service providers who assist in our operations (under strict data processing agreements)
• Third-party integrations you authorize (e.g., QuickBooks, Plaid)
• Law enforcement when required by law

6. Cross-Border Data Transfers

LMNTL operates globally with data centers in the United States and the European Union. When we transfer personal data across borders, we ensure appropriate safeguards are in place:

• EU/UK to US transfers: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical measures.
• Data localization: EU customers can opt to have their data processed exclusively within the EU through Settings > Privacy > Data Residency.
• Adequacy decisions: For transfers to countries with adequacy decisions (Canada, UK, etc.), we rely on those frameworks.

Our sub-processors are contractually bound to the same data protection standards, and we maintain an up-to-date list of sub-processors available upon request.

7. Your Rights by Jurisdiction

7.1 European Union (GDPR)

If you are located in the EU/EEA, you have the following rights:

• Right of Access (Art. 15): Obtain confirmation and a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local Data Protection Authority

Legal Basis for Processing: We process your data based on: (a) contract performance, (b) legitimate interests (improving our services, security), (c) legal obligations, and (d) consent for optional features like AI insights.

7.2 United Kingdom (UK GDPR)

UK residents have the same rights as EU residents under the UK General Data Protection Regulation and the Data Protection Act 2018. You may lodge complaints with the Information Commissioner's Office (ICO).

7.3 Canada (PIPEDA)

If you are a Canadian resident, under PIPEDA you have the right to:

• Access your personal information held by us
• Challenge the accuracy and completeness of your information
• Know how your information is being used
• Withdraw consent (subject to legal restrictions)

You may file complaints with the Office of the Privacy Commissioner of Canada. Quebec residents have additional rights under Law 25.

7.4 Australia (Privacy Act)

Australian residents have rights under the Privacy Act 1988 and Australian Privacy Principles (APPs):

• Access to personal information we hold about you
• Correction of inaccurate information
• Complaint to the Office of the Australian Information Commissioner (OAIC)
• Option to deal with us anonymously or using a pseudonym where practicable

7.5 United States - California (CCPA/CPRA)

California residents have the following rights:

• Right to Know: Request disclosure of personal information collected, used, and disclosed
• Right to Delete: Request deletion of personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
• Right to Limit Use: Limit use of sensitive personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your rights

Do Not Sell My Personal Information: LMNTL does not sell personal information as defined by CCPA. However, you can formally register your preference via Settings > Privacy or by contacting us. We will honor Global Privacy Control (GPC) signals.

Categories of Personal Information: In the past 12 months, we have collected identifiers, commercial information, internet activity, geolocation data, and professional information as described in this policy.

7.6 Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with privacy laws have similar rights to access, delete, and opt-out. Contact us to exercise your rights.

8. TimeFlow AI Data Handling

TimeFlow AI is our intelligent assistant that helps with financial analysis, anomaly detection, and workflow optimization. Here is how we handle your data:

• No Training on Your Data: We do not use your financial data to train machine learning models. Your data remains yours.
• On-Demand Processing: AI analysis occurs only when you request it or enable specific AI features.
• Secure Infrastructure: All AI processing occurs within our SOC 2 Type 2 certified hosting infrastructure (AWS). No data is sent to third-party AI providers.
• Ephemeral Processing: AI-generated insights are computed in real-time and not permanently stored unless you save them.
• Opt-Out Available: You can disable all AI features in Settings > Privacy > AI Preferences without affecting core functionality.
• Human Oversight: Critical financial decisions always require human confirmation. AI provides recommendations, not autonomous actions.

9. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and analyze how the Service is used.

• Essential Cookies: Required for the Service to function (authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how the Service is used (can be disabled)

You can manage cookie preferences in Settings > Privacy > Cookie Preferences or through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and sending an email notification for significant changes.

11. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

• Email: privacy@lmntl.ai
• Data Protection Officer: dpo@lmntl.ai
• Mailing Address: LMNTL.AI Inc., Privacy Team, 548 Market St #35410, San Francisco, CA 94104, USA

For EU residents, you may also contact our EU representative. For UK residents, you may contact our UK representative. Details available upon request.